- This article is a Community contribution and may include unsupported customizations.

- This article is a Work in Progress, and may be unfinished or missing sections.

Introduction

During a security scan you may get a list of insecure or non-compliant cipher suites. The most commonly reported finding is the BEAST vulnerability.
Disabling the affected cipher suites sorts this out. Zimbra uses OpenSSL, so we only have to look up the cipher name reported by the scan in the OpenSSL cipher suite table, take the TLS_* name listed beside it, and disable that suite accordingly.

So for example, if the security scan shows that 'AES256-SHA' has to be disabled, scrolling down the list (or doing a quick Ctrl+F for AES256-SHA) brings up this line:

TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

This is how we obtain the argument for '+zimbraSSLExcludeCipherSuites': the TLS_* name on that line.

The actual command to disable it would be:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA

And then we restart mailbox, with:

zmmailboxdctl restart

Please note the '+' sign in front of 'zimbraSSLExcludeCipherSuites'. It adds to the existing list of excluded cipher suites. Omitting the '+' sign is dangerous, as it overwrites the list, so only the cipher suite given last remains in it.
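The lookup and command-building steps above, as an added example that is not part of this article or of Zimbra's own tooling. It assumes the OpenSSL 1.1.1+ `openssl ciphers -stdname -V` output format; the cipher table embedded below is a constructed sample in that format, and on a real server you would feed the command's actual output instead.

```python
# Map cipher names from a scan report to the TLS_* names expected by
# zimbraSSLExcludeCipherSuites and emit the zmprov commands (added example).
import re

# Constructed sample in the format of `openssl ciphers -stdname -V 'ALL'`
# (OpenSSL 1.1.1+). On a real server, feed that command's output instead.
SAMPLE_CIPHER_TABLE = """\
0xC0,0x2F - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - TLS_RSA_WITH_AES_256_CBC_SHA - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x2F - TLS_RSA_WITH_AES_128_CBC_SHA - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

# Optional "0xHH,0xHH - " prefix (from -V), then "TLS_NAME - OPENSSL_NAME ..."
LINE_RE = re.compile(r"^\s*(?:0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}\s+-\s+)?(TLS_\S+)\s+-\s+(\S+)")


def parse_cipher_table(text):
    """Return {openssl_name: tls_name} from `openssl ciphers -stdname` output."""
    mapping = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tls_name, openssl_name = m.groups()
            mapping[openssl_name] = tls_name
    return mapping


def build_exclude_commands(scan_findings, mapping):
    """One `zmprov mcf +zimbraSSLExcludeCipherSuites <TLS_name>` per finding.
    The '+' is deliberate: without it the existing exclude list is overwritten.
    Names missing from the table are returned for manual lookup, not dropped."""
    commands, unmapped = [], []
    for name in scan_findings:
        tls_name = mapping.get(name)
        if tls_name is None:
            unmapped.append(name)
        else:
            commands.append(f"zmprov mcf +zimbraSSLExcludeCipherSuites {tls_name}")
    return commands, unmapped


if __name__ == "__main__":
    table = parse_cipher_table(SAMPLE_CIPHER_TABLE)
    # Constructed scan findings: two CBC suites (the BEAST-affected kind) and
    # one name that the sample table does not contain.
    cmds, missing = build_exclude_commands(["AES256-SHA", "DES-CBC3-SHA", "RC4-MD5"], table)
    print("\n".join(cmds + ["zmmailboxdctl restart"]))
    print("not in table, look up manually:", missing)
```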

Testing whether a cipher suite is enabled or disabled:

You can perform a quick test to see whether a cipher suite is still supported by running the following on the Zimbra server:

openssl s_time -connect localhost:443 -new -cipher AES256-SHA

Note that the argument for '-cipher' is the cipher name as reported by the scan (AES256-SHA), not the TLS_* name used for zimbraSSLExcludeCipherSuites.
If the cipher is enabled, the output would be similar to:

Disabling all known ones at once

Since mailbox has to be restarted, you will need to do this during a maintenance window. The problem is that several ciphers can fail the scan, so the process becomes:
do security scan -> find the name of the cipher -> disable the cipher -> run the scan again, and so on.

So to make this a little easier, here is a list of cipher suites that clients have disabled to pass their tests. This covers the BEAST vulnerability.

Note: This disables most block ciphers, because those were the ones affected by BEAST. Disabling some of these may break some services[1].